File security plan proposed

A group of vendors, led by US vendor Tripwire, has announced plans to develop a database that IT managers could use to verify the authenticity and integrity of the files built into packaged software.

Hewlett-Packard, IBM, RSA Security, InstallShield Software, and Sun Microsystems are also involved in the File Signature Database (FSDB) effort. The repository will store metadata about individual files created by each of the vendors, such as the file's name, a ‘born-on’ date and its digital hash values.

Corporate users can then check the software running on their systems against the ‘good file’ information contained in the FSDB to make sure that files haven't been improperly modified or corrupted by viruses, said Wyatt Starnes, president and CEO of Tripwire.

Although some software from vendors such as Sun, IBM and Microsoft lets users verify the integrity of files, there is currently no common way for users to do so across multi-vendor applications, Starnes said.
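The check Starnes describes, as an added illustration that is not Tripwire's or the FSDB's own code: a small known-good table holding the metadata the article lists (file name, ‘born-on’ date, hash) for files from more than one vendor, and a routine that classifies files on disk as good, modified or unknown. The vendor names, dates, file contents and the choice of SHA-256 are all constructed assumptions (the article does not name a hash algorithm).

```python
import hashlib
import os
import tempfile

# Constructed sample of FSDB-style records from two vendors, keyed by file
# name: vendor, 'born-on' date and the file's digital hash. SHA-256 is an
# assumption; the article names no algorithm.
SAMPLE_FSDB = {
    "libcrypto.so": {"vendor": "VendorA", "born_on": "2003-04-01",
                     "sha256": hashlib.sha256(b"good libcrypto build").hexdigest()},
    "install.exe": {"vendor": "VendorB", "born_on": "2003-02-15",
                    "sha256": hashlib.sha256(b"good installer build").hexdigest()},
}

def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_files(directory, fsdb):
    """Compare every regular file under `directory` against the known-good
    records. Returns {name: status} where status is 'good' (hash matches the
    vendor record), 'modified' (a record exists but the hash differs) or
    'unknown' (no vendor has registered this file, so nothing to check)."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        record = fsdb.get(name)
        if record is None:
            results[name] = "unknown"
        elif sha256_of(path) == record["sha256"]:
            results[name] = "good"
        else:
            results[name] = "modified"
    return results

def demo():
    """Constructed disk contents: one intact vendor file, one altered after
    release, and one file no charter vendor has registered."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "libcrypto.so"), "wb") as f:
        f.write(b"good libcrypto build")
    with open(os.path.join(d, "install.exe"), "wb") as f:
        f.write(b"good installer build" + b"\x90")  # one byte appended
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"local file")
    return verify_files(d, SAMPLE_FSDB)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```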

The FSDB plan sounds like "a great initiative," said Ken Tyminski, chief information security officer at Prudential Financial in New Jersey. "It will give people the ability to ensure the code they have is really the right code," he noted. "If you think something is not at the right level or has been altered, you can look it up."

Doing that now involves going to multiple sources to get the correct file information, Tyminski said. He added that he hopes more vendors join the FSDB initiative to further simplify the verification process for users.

Validating the authenticity of files could also be helpful from a regulatory compliance standpoint, said John Freeman, a senior process control systems engineer at Pittsburgh-based Bayer, the U.S. subsidiary of chemicals and pharmaceuticals maker Bayer.

"I'm working in an FDA-regulated environment where we're required to maintain change control on all our software systems that are used in the production of [drugs]," Freeman said. "It can be a pretty large job doing that. This tool will help simplify and streamline that process."

The FSDB currently is populated with more than 11 million file signatures from the participating vendors. Each charter member will add new file information to the database when software products are released or updated, according to Tripwire.

The initiative is open to all software vendors, and Tripwire said the database will be accessible to any users with legitimately licensed applications. In addition, the FSDB will be made available to U.S. government and law enforcement agencies for potential use in cybercrime investigations.